{"id":7115,"date":"2025-09-24T15:05:40","date_gmt":"2025-09-24T13:05:40","guid":{"rendered":"https:\/\/xopero.com\/blog\/?p=7115"},"modified":"2025-12-05T15:29:33","modified_gmt":"2025-12-05T14:29:33","slug":"nis2-directive","status":"publish","type":"post","link":"https:\/\/xopero.com\/blog\/en\/nis2-directive\/","title":{"rendered":"NIS2 in Practice: All You Need to Know"},"content":{"rendered":"\n<p>Dysfunctional gas stations. Paralysis of surgical procedures in hospitals. Inoperable ATMs. Does this sound like a scene from a doomsday movie? Not necessarily. This is what the day after a successful, multi-vector cyberattack on a country&#8217;s critical infrastructure could look like.<\/p>\n\n\n\n<p>Aware of constantly evolving cyber threats (e.g., ransomware) and increasingly frequent attacks on critical sectors, which pose a real threat to states and entire societies, EU authorities decided to systematically enforce the implementation of (better) cybersecurity capabilities on the most essential and vulnerable entities. 
That&#8217;s how the NIS2 directive came into being.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-is-the-nis2-directive-in-a-nutshell\">What Is the NIS2 Directive in a Nutshell?<\/h2>\n\n\n<p>NIS2 (Network and Information Systems Directive 2) is a directive* of the European Parliament and the EU Council aimed at strengthening cyber resilience and achieving a high common level of cybersecurity capabilities for organizations providing essential services in the EU economy.<\/p>\n\n\n\n<p>It&#8217;s worth noting that these are not the only goals of NIS2. Another one, just as important, is the standardization of security measures, as subtly hinted by the adjective &#8222;common&#8221; in the definition above. This is because the previous directive, NIS1 from 2016, gave EU member states a lot of freedom in this regard. As a result, the level of security could differ drastically between key entities, a gap that cybercriminals could easily exploit.<\/p>\n\n\n\n<p>* Directive (EU) 2022\/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910\/2014 and Directive (EU) 2018\/1972, and repealing Directive (EU) 2016\/1148 (NIS 2 Directive) \u2013 the full text of the legal act is available at <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32022L2555\" target=\"_blank\" rel=\"noreferrer noopener\">this link<\/a>.<\/p>\n\n\n<h3 class=\"wp-block-heading\" id=\"is-the-nis2-directive-in-force-now\">Is the NIS2 Directive in Force Now?<\/h3>\n\n\n<p>NIS2 was adopted by the European Parliament and the EU Council on December 14, 2022, and came into force on January 16, 2023. EU member states were required to transpose it to their national legislation by October 17, 2024.
However, since the process of adopting NIS2 is legally and operationally complex, not all states met this deadline.<\/p>\n\n\n\n<p>If your organization operates in Belgium, Croatia, Denmark, Estonia, Finland, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Malta, Portugal, Romania, Slovakia, or Slovenia, the NIS2 directive is already in force and you are required to comply with the national laws that have transposed it.<\/p>\n\n\n\n<p>On the other hand, if you&#8217;re based in a member state not listed above, NIS2 obligations are not yet binding on your organization. However, it&#8217;s definitely a good idea to ensure NIS2 compliance as fast as possible, because it requires multiple complex measures and takes a lot of time. To stay informed, you can also follow your local government&#8217;s legislative updates website.<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"who-needs-to-comply-with-nis2-and-who-it-isnt-mandatory-for\">Who Needs to Comply with NIS2, and Who It Isn&#8217;t Mandatory For?<\/h2>\n\n\n<p>Before you dive into implementation, check if the NIS2 directive applies to your organization by analyzing the following criteria.<\/p>\n\n\n<h3 class=\"wp-block-heading\" id=\"criterion-of-belonging-to-a-critical-sector\">Criterion of Belonging to a Critical Sector<\/h3>\n\n\n<p>NIS2 was created to protect strategic areas of the economy, so the directive applies to organizations that belong to the so-called <strong>sectors of high criticality<\/strong> (most important) and <strong>other critical sectors<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Sectors of high criticality:\n<ul class=\"wp-block-list\">\n<li><strong>Energy<\/strong> \u2013 electricity, district heating and cooling, oil, gas, or hydrogen processing<\/li>\n\n\n\n<li><strong>Transport<\/strong> \u2013 air, rail, water, road<\/li>\n\n\n\n<li><strong>Banking<\/strong><\/li>\n\n\n\n<li><strong>Financial market infrastructures<\/strong> \u2013 operators of
trading venues and central counterparties (CCP) in the financial sector<\/li>\n\n\n\n<li><strong>Health<\/strong> \u2013 hospitals, laboratories, manufacturers of pharmaceuticals and critical medical devices<\/li>\n\n\n\n<li><strong>Water supply<\/strong><\/li>\n\n\n\n<li><strong>Waste treatment<\/strong><\/li>\n\n\n\n<li><strong>Digital infrastructure<\/strong> (digital service providers) \u2013 internet exchange point providers, including DNS providers, TLD domain registries, cloud providers, data center providers, CDN network providers, trust service providers, providers of communication networks<\/li>\n\n\n\n<li><strong>ICT service management (B2B)<\/strong> \u2013 managed service providers, including in the area of security<\/li>\n\n\n\n<li><strong>Public entities\/public administration entities<\/strong><\/li>\n\n\n\n<li><strong>Space<\/strong> \u2013 entities that support the provision of space services<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Other critical sectors:\n<ul class=\"wp-block-list\">\n<li><strong>Postal and courier services<\/strong><\/li>\n\n\n\n<li><strong>Waste management<\/strong><\/li>\n\n\n\n<li><strong>Manufacture, production and distribution of chemicals<\/strong><\/li>\n\n\n\n<li><strong>Production, processing and distribution of food<\/strong><\/li>\n\n\n\n<li><strong>Manufacturing <\/strong>\u2013 medical devices, computers, consumer electronics, optical devices, electrical equipment, machinery and equipment, motor vehicles, trailers, other transport equipment<\/li>\n\n\n\n<li><strong>Digital providers<\/strong> \u2013 providers of online marketplaces, search engines, and social networking platforms<\/li>\n\n\n\n<li><strong>Research<\/strong> \u2013 research organizations<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n<h3 class=\"wp-block-heading\" id=\"the-entity-size-and-other-criteria\">The Entity Size and Other Criteria<\/h3>\n\n\n<p>Now that you know which sectors are covered by NIS2, let&#8217;s check the other criteria that ultimately qualify your 
organization as subject to the provisions of this directive. The table below will help you with this:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th><strong>Type of an entity<\/strong><\/th><th><strong>Size criteria<\/strong><\/th><th><strong>Other criteria<\/strong><\/th><th><strong>Is subject to NIS2?<\/strong><\/th><\/tr><\/thead><tbody><tr><td>Large<\/td><td>\u2265250 employees <strong>or<\/strong>&nbsp;\u226550 million EUR of annual turnover<\/td><td>&#8211;<\/td><td>\u2705 <strong>Yes<\/strong>, if it operates in a sector of high criticality or other critical sector.<\/td><\/tr><tr><td>Medium<\/td><td>\u226550 employees <strong>or<\/strong>&nbsp;\u226510 million EUR of annual turnover<\/td><td>&#8211;<\/td><td>\u2705 <strong>Yes<\/strong>, if it operates in a sector of high criticality or other critical sector.<\/td><\/tr><tr><td>Small\/Micro<\/td><td>&lt;50 employees <strong>and<\/strong> &lt;10 million EUR of annual turnover<\/td><td>&#8211; Provides services of critical importance.<br>&#8211; Is the sole provider in the country.<br>&#8211; Is important for public safety.<br>&#8211; Belongs to the supply chain of an essential\/important entity.<br>&#8211; Has been deemed an essential or important entity by a decision of a competent national authority.<\/td><td>\u26a0\ufe0f <strong>Yes<\/strong>, if it operates in a sector of high criticality or other critical sector, and meets at least one of the other criteria.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>As you can see, meeting the criteria of a) belonging to one of the strategic sectors and b) the size criteria automatically brings an organization under NIS2&#8217;s provisions. 
In this case, such an organization is considered an <strong>essential entity<\/strong> (operates in a sector of high criticality) or an <strong>important entity<\/strong> (operates in another critical sector).<\/p>\n\n\n\n<p>For small and micro-enterprises that do not meet the size criteria but operate in a strategic sector of the economy, being subject to NIS2 depends on meeting additional criteria and the decision of a competent national authority.<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"what-penalties-and-sanctions-apply-for-noncompliance-with-nis2\">What Penalties and Sanctions Apply for Non-Compliance with NIS2?<\/h2>\n\n\n<p>According to European Union doctrine, sanctions must be &#8220;effective, proportionate, and dissuasive.&#8221; And, indeed, the financial penalties certainly reflect this doctrine. It&#8217;s worth adding that the final amount of a financial penalty is influenced by factors such as the type of entity and the scale of the violation:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Essential entity<\/strong>: <strong>up to 10 million EUR<\/strong> or <strong>2% of the total worldwide annual turnover<\/strong>, whichever is higher<\/li>\n\n\n\n<li><strong>Important entity<\/strong>: <strong>up to 7 million EUR<\/strong> or <strong>1.4% of the total worldwide annual turnover<\/strong>, whichever is higher<\/li>\n<\/ul>\n\n\n\n<p>In addition to financial penalties, severe administrative and even personal liability sanctions apply as well:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Withdrawal of permits\/certifications<\/strong><\/li>\n\n\n\n<li><strong>Ban on holding management positions<\/strong> (for management board members responsible for violations)<\/li>\n\n\n\n<li><strong>A fine of up to 300% of the monthly salary<\/strong> (for managers), which applies when negligence directly affects public safety or health.<\/li>\n<\/ul>\n\n\n\n<p>Of course, sanctioned organizations must implement corrective
actions.<\/p>\n\n\n\n<p>But this isn\u2019t the end of it. Member states can introduce additional sanctions &#8220;independently.&#8221; For example, in Poland, plans include measures such as a fine of up to 25 million EUR and the possibility of temporary suspension of operations.<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"what-are-the-requirements-for-nis2-and-how-to-meet-them\">What Are the Requirements for NIS2 and How to Meet Them?<\/h2>\n\n\n<p>As you can see, the consequences can be truly severe, not to mention intangible losses such as damage to reputation or customer trust. So, it\u2019s now time to check what compliance obligations are placed on organizations covered by NIS2. This will help you move on to the phase of developing an implementation plan and specific cybersecurity risk management measures.<\/p>\n\n\n\n<p>The NIS2 directive itself does not specify the requirements, because business specifics and risk levels differ vastly between individual sectors. Instead, Article 21 lists the areas that need to be addressed, while also indicating that the technical, organizational, and operational measures implemented must be appropriate and proportionate.<\/p>\n\n\n\n<p>To give these recommendations a more concrete form, we have prepared the table below with a list of the aforementioned areas along with examples of specific cybersecurity measures\/actions that can be implemented in those areas.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th><strong>An Area Defined in Art.
21 of the NIS2 Directive<\/strong><\/th><th><strong>Cybersecurity Measures\/Actions During Implementation<\/strong><\/th><th><strong>Cybersecurity Measures\/Actions After Implementation<\/strong><\/th><\/tr><\/thead><tbody><tr><td>Policies on risk analysis and information system security<\/td><td>\u2013 Develop a risk analysis policy.<br>\u2013 Develop an information systems security policy.<br>\u2013 Appoint a cybersecurity contact person.<\/td><td>\u2013 Conduct regular risk analyses.<br>\u2013 Submit periodic reports (at the request of a national supervisory authority).<\/td><\/tr><tr><td>Incident handling<\/td><td>\u2013 Document and implement a computer security incident management process.<br>\u2013 Appoint people responsible for incident handling.<br>\u2013 Develop a procedure describing incident reporting to a Computer Security Incident Response Team (CSIRT).<br>\u2013 Implement tools to automate incident response, e.g., Security Orchestration, Automation and Response (SOAR).<\/td><td>\u2013 Monitor and detect cybersecurity incidents, e.g., using Security Information and Event Management (SIEM) tools.<br>\u2013 Submit an early warning (<strong>within 24 h of becoming aware of a significant incident<\/strong>).<br>\u2013 Create and submit an incident notification (<strong>within 72 h<\/strong>&nbsp;<strong>of becoming aware of the significant incident<\/strong>).<br>\u2013 Create and send a final report (<strong>within 1 month of the incident notification<\/strong>).<br>\u2013 Perform a post-mortem analysis to understand what happened.<\/td><\/tr><tr><td>Business continuity, such as backup management and disaster recovery, and crisis management.<\/td><td>\u2013 Develop a business continuity plan containing emergency, recovery, and disruption minimization procedures.<br>\u2013 Implement software or a comprehensive solution for creating and restoring backups, e.g.,&nbsp;<a 
href=\"https:\/\/xopero.com\/solutions\/data-protection\/xopero-unified-protection\/\">Xopero Unified Protection<\/a>&nbsp;or&nbsp;<a href=\"https:\/\/xopero.com\/solutions\/data-protection\/xopero-one-backup-recovery\/\">Xopero One Backup&amp;Recovery<\/a>.<br>\u2013 Establish a crisis team and communication procedures for crisis situations.<\/td><td>\u2013 Regularly perform backups of the organization\u2019s data.<br>\u2013 Securely store copies outside the organization\u2019s infrastructure, e.g., using the 3-2-1 model.<br>\u2013 Test data restoration from a backup.<br>\u2013 In the case of an incident, assess its potential financial and operational impact.<\/td><\/tr><tr><td>Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.<\/td><td>\u2013 Conduct a risk analysis of suppliers\/service providers to ensure supply chain security.<br>\u2013 Implement procedures to identify and manage risk throughout the supply chain.<br>\u2013 Conclude contracts that clearly specify cybersecurity requirements.<\/td><td>\u2013 Monitor compliance with cybersecurity requirements of suppliers\/service providers.<br>\u2013 Cooperate and communicate with suppliers\/service providers to take coordinated steps in the case of an incident.&nbsp;<\/td><\/tr><tr><td>Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.<\/td><td>\u2013 Verify suppliers for applying appropriate security measures, obtaining certificates, etc.<br>\u2013 Implement Extended Detection and Response (XDR) and Mobile Device Management (MDM) solutions to protect endpoints and mobile devices.<\/td><td>\u2013 Monitor and detect incidents, e.g., using Security Information and Event Management (SIEM) tools.<br>\u2013 Manage vulnerabilities by monitoring, identifying, and eliminating them.<br>\u2013 Conduct regular security audits and 
configuration reviews, at least once every 24 months.<br>\u2013 Securely develop proprietary products (the secure by design rule); this measure applies to, among others, software companies.<\/td><\/tr><tr><td>Policies and procedures to assess the effectiveness of cybersecurity risk management measures.<\/td><td>\u2013 Conduct an analysis of risks relevant to your business activity to identify and mitigate them.<br>\u2013 Develop key performance indicators (KPIs) to assess implemented security measures.<\/td><td>\u2013 Conduct regular audits assessing compliance with policies.<br>\u2013 Conduct penetration tests to check digital infrastructure integrity.<\/td><\/tr><tr><td>Basic cyber hygiene practices and cybersecurity training.<\/td><td>\u2013 Conduct initial training on cybersecurity (e.g., identifying cyber threats, password management, data protection on devices) for employees.<br>\u2013 Conduct training for the management board on the obligations imposed by the NIS2 directive.<br>\u2013 Conduct knowledge tests.<\/td><td>\u2013 Conduct regular \u201crefresher\u201d training sessions.<br>\u2013 Conduct simulated phishing attacks to identify individuals needing additional training.<br>\u2013 Raise awareness of cyber threats through newsletters, posters, campaigns promoting basic cyber hygiene rules, etc.&nbsp;<\/td><\/tr><tr><td>Policies and procedures regarding the use of cryptography and, where appropriate, encryption.<\/td><td>\u2013 Develop a cryptography policy (when and how to encrypt data).<br>\u2013 Implement proven and certified cryptographic tools.<br>\u2013 Develop SSL\/TLS certificate management systems to prevent their expiration and exposing your communication to attack.<\/td><td>\u2013 Encrypt data in transit (e.g., in networks) and at rest (e.g., encrypting hard drives, backups).<br>\u2013 Renew encryption certificates.<\/td><\/tr><tr><td>Human resources security, access control policies and asset management.<\/td><td>\u2013 Develop security 
procedures for employee hiring and dismissal.<br>\u2013 Develop a procedure for accessing the organization\u2019s offices.<br>\u2013 Implement an Identity and Access Management (IAM) solution.<br>\u2013 Create an inventory of IT assets (e.g., computers, mobile devices).<\/td><td>\u2013 Verify candidates and promptly revoke permissions upon dismissal.<br>\u2013 Apply the \u201cprinciple of least privilege.\u201d<br>\u2013 Centrally manage identity and access through IAM.<br>\u2013 Regularly update the asset inventory.<br>\u2013 Securely decommission systems.<\/td><\/tr><tr><td>The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.<\/td><td>\u2013 Implement multi-factor authentication (MFA) and train users on it.<br>\u2013 Implement continuous authentication solutions (monitoring user behavior and prompting for authentication when there is a suspicion).<br>\u2013 Prepare special communication channels for emergency situations.<\/td><td>\u2013 Monitor whether every user uses MFA and track user behavior.<br>\u2013 Activate and use the special communication channels in the case of an emergency.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>The number of possible cybersecurity measures\/actions can be overwhelming.
However, the final scope of implementation will depend on the nature and complexity of your organization, as well as data and assets that require protection within it.<\/p>\n\n\n\n<p>To facilitate the coordination of these tasks, we have prepared a sample checklist that you can print, customize to your needs, and use to oversee your readiness for NIS2.<\/p>\n\n\n\n<div class=\"wp-block-buttons is-content-justification-center is-layout-flex wp-container-core-buttons-is-layout-16018d1d wp-block-buttons-is-layout-flex\" style=\"text-decoration:none\">\n<div class=\"wp-block-button is-style-fill\"><a class=\"wp-block-button__link has-white-color has-text-color has-background has-link-color wp-element-button\" href=\"https:\/\/xopero.com\/blog\/wp-content\/uploads\/2025\/09\/NIS2-implementation-checklist.docx\" style=\"border-top-left-radius:10px;border-top-right-radius:10px;border-bottom-left-radius:10px;border-bottom-right-radius:10px;background-color:#1076b0;text-transform:none\">Download NIS2 checklist<\/a><\/div>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\" id=\"staying-compliant-with-nis2-vs-the-iso-27001-standard\">Staying Compliant with NIS2 vs. the ISO 27001 Standard<\/h3>\n\n\n<p>If information security has always been a core value of your organization, you may have already implemented the&nbsp;<a href=\"https:\/\/xopero.com\/blog\/en\/xopero-software-completes-its-iso-27001-audit-successfully\/\">ISO 27001 standard<\/a> that defines the requirements for an Information Security Management System (ISMS). 
By regulating areas such as risk management, security policies and controls, incident response procedures, documentation and reporting obligations, and continuous improvement and training, the standard can greatly support you in ensuring compliance with NIS2 and save you a lot of work when it comes to implementing individual measures or actions.<\/p>\n\n\n\n<p>It\u2019s worth remembering this to make the most of the resources you already have at your disposal.<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"the-nis2-directive-as-an-opportunity-for-better-cyber-resilience\">The NIS2 Directive as an Opportunity for Better Cyber Resilience<\/h2>\n\n\n<p>Penalties, requirements\u2026 all of this can be overwhelming and create a negative mindset. However, it\u2019s worth looking at the NIS2 directive not as an unpleasant obligation, but as an opportunity to strengthen your organization\u2019s cyber resilience. In the long run, it may save you a lot of unpleasant experiences, stress, and extra work related to dealing with and eliminating the consequences of cyberattacks.<\/p>\n\n\n\n<p>At the same time, it\u2019s important to remember that you don\u2019t have to do everything yourself. Many of the measures required under NIS2, especially those in the post-implementation phase, can be carried out using solutions from proven providers.<\/p>\n\n\n\n<p>Xopero\u2014as a data backup expert\u2014can help you meet the requirements in the area of ensuring business continuity (creating, testing, and restoring&nbsp;<a href=\"https:\/\/xopero.com\/blog\/en\/full-copy-incremental-copy-and-differential-copy-backup-types\/\">data backups<\/a>, related reporting\/auditing).
For example, by choosing&nbsp;<strong>Xopero Unified Protection<\/strong>&nbsp;(a scalable enterprise-class hardware and software platform for data backup and&nbsp;<a href=\"https:\/\/xopero.com\/blog\/en\/disaster-recovery-part-i-organisational-aspects\/\">disaster recovery<\/a>), you get a number of valuable benefits, such as protection against huge financial losses and loss of trust\/reputation, or\u2014from an IT admin\u2019s point of view\u2014instant plug-and-play experience. Not to mention other advanced and innovative features that you can check out on the <a href=\"https:\/\/xopero.com\/solutions\/data-protection\/xopero-unified-protection\/\">website dedicated to our backup appliance<\/a>.<\/p>\n\n\n\n<p>Learn about our offer and see how we can support you both in the context of NIS2 and in the broader sense of your organization\u2019s data security.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Dysfunctional gas stations. Paralysis of surgical procedures in hospitals. Inoperable ATMs. Does this sound like a scene from a doomsday movie? Not necessarily. This is what the day after a successful, multi-vector cyberattack on a country&#8217;s critical infrastructure could look like. Aware of constantly evolving cyber threats (e.g., ransomware) and increasingly frequent attacks on critical sectors, which pose a real threat to states and entire societies, EU authorities decided to systematically enforce the implementation of (better) cybersecurity capabilities on the most essential and vulnerable entities. 
That&#8217;s how the NIS2 directive came into being.<\/p>\n","protected":false},"author":15,"featured_media":7352,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[655],"tags":[],"class_list":["post-7115","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyberlaw","post--single"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Your complete guide to the NIS2 directive<\/title>\n<meta name=\"description\" content=\"Learn what NIS2 directive is, whether it is in force, who it applies to, what the applicable penalties and the requirements for it.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xopero.com\/blog\/en\/nis2-directive\/\" \/>\n<meta property=\"og:locale\" content=\"pl_PL\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Your complete guide to the NIS2 directive\" \/>\n<meta property=\"og:description\" content=\"Learn what NIS2 directive is, whether it is in force, who it applies to, what the applicable penalties and the requirements for it.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xopero.com\/blog\/en\/nis2-directive\/\" \/>\n<meta property=\"og:site_name\" content=\"Xopero Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/XoperoSoftware\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-09-24T13:05:40+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-12-05T14:29:33+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xopero.com\/blog\/wp-content\/uploads\/2025\/10\/all-to-know-about-nis2-directive-new.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta 
property=\"og:image:height\" content=\"600\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"\u0141ukasz Dydek, Technical Content Writer\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xoperobackup\" \/>\n<meta name=\"twitter:site\" content=\"@xoperobackup\" \/>\n<meta name=\"twitter:label1\" content=\"Napisane przez\" \/>\n\t<meta name=\"twitter:data1\" content=\"\u0141ukasz Dydek, Technical Content Writer\" \/>\n\t<meta name=\"twitter:label2\" content=\"Szacowany czas czytania\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minut\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/en\\\/nis2-directive\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/en\\\/nis2-directive\\\/\"},\"author\":{\"name\":\"\u0141ukasz Dydek, Technical Content Writer\",\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/#\\\/schema\\\/person\\\/608de6d75eb1ac2a48799895263fc00d\"},\"headline\":\"NIS2 in Practice: All You Need to Know\",\"datePublished\":\"2025-09-24T13:05:40+00:00\",\"dateModified\":\"2025-12-05T14:29:33+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/en\\\/nis2-directive\\\/\"},\"wordCount\":2496,\"publisher\":{\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/en\\\/nis2-directive\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/xopero.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/10\\\/all-to-know-about-nis2-directive-new.png\",\"articleSection\":[\"Cyberlaw\"],\"inLanguage\":\"pl-PL\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/en\\\/nis2-directive\\\/\",\"url\":\"https:\\\/\\\/xopero.com\\\/blog\\\/en\\\/nis2-directive\\\/\",\"name\":\"Your complete guide to 
the NIS2 directive\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/en\\\/nis2-directive\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/en\\\/nis2-directive\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/xopero.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/10\\\/all-to-know-about-nis2-directive-new.png\",\"datePublished\":\"2025-09-24T13:05:40+00:00\",\"dateModified\":\"2025-12-05T14:29:33+00:00\",\"description\":\"Learn what NIS2 directive is, whether it is in force, who it applies to, what the applicable penalties and the requirements for it.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/en\\\/nis2-directive\\\/#breadcrumb\"},\"inLanguage\":\"pl-PL\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/xopero.com\\\/blog\\\/en\\\/nis2-directive\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"pl-PL\",\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/en\\\/nis2-directive\\\/#primaryimage\",\"url\":\"https:\\\/\\\/xopero.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/10\\\/all-to-know-about-nis2-directive-new.png\",\"contentUrl\":\"https:\\\/\\\/xopero.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/10\\\/all-to-know-about-nis2-directive-new.png\",\"width\":1200,\"height\":600,\"caption\":\"Your complete guide to the NIS2 directive\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/en\\\/nis2-directive\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Strona g\u0142\u00f3wna\",\"item\":\"https:\\\/\\\/xopero.com\\\/blog\\\/pl\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"NIS2 in Practice: All You Need to Know\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/xopero.com\\\/blog\\\/\",\"name\":\"Xopero Blog\",\"description\":\"Backup &amp; 
Recovery\",\"publisher\":{\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/xopero.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"pl-PL\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/#organization\",\"name\":\"Xopero Software\",\"url\":\"https:\\\/\\\/xopero.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pl-PL\",\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/xopero.com\\\/blog\\\/wp-content\\\/uploads\\\/2019\\\/03\\\/xopero-niebieskie.png\",\"contentUrl\":\"https:\\\/\\\/xopero.com\\\/blog\\\/wp-content\\\/uploads\\\/2019\\\/03\\\/xopero-niebieskie.png\",\"width\":500,\"height\":132,\"caption\":\"Xopero Software\"},\"image\":{\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/XoperoSoftware\\\/\",\"https:\\\/\\\/x.com\\\/xoperobackup\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/opero-sp-z-o-o-\\\/?viewAsMember=true\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UCRPWyeo1apjSgkDW3hZpB9g?reload=9\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/#\\\/schema\\\/person\\\/608de6d75eb1ac2a48799895263fc00d\",\"name\":\"\u0141ukasz Dydek, Technical Content 
Writer\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pl-PL\",\"@id\":\"https:\\\/\\\/xopero.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/Lukasz-dydek-technical-content-writer_avatar.jpg\",\"url\":\"https:\\\/\\\/xopero.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/Lukasz-dydek-technical-content-writer_avatar.jpg\",\"contentUrl\":\"https:\\\/\\\/xopero.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/Lukasz-dydek-technical-content-writer_avatar.jpg\",\"caption\":\"\u0141ukasz Dydek, Technical Content Writer\"},\"url\":\"https:\\\/\\\/xopero.com\\\/blog\\\/author\\\/lukasz-dydek\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Your complete guide to the NIS2 directive","description":"Learn what NIS2 directive is, whether it is in force, who it applies to, what the applicable penalties and the requirements for it.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xopero.com\/blog\/en\/nis2-directive\/","og_locale":"pl_PL","og_type":"article","og_title":"Your complete guide to the NIS2 directive","og_description":"Learn what NIS2 directive is, whether it is in force, who it applies to, what the applicable penalties and the requirements for it.","og_url":"https:\/\/xopero.com\/blog\/en\/nis2-directive\/","og_site_name":"Xopero Blog","article_publisher":"https:\/\/www.facebook.com\/XoperoSoftware\/","article_published_time":"2025-09-24T13:05:40+00:00","article_modified_time":"2025-12-05T14:29:33+00:00","og_image":[{"width":1200,"height":600,"url":"https:\/\/xopero.com\/blog\/wp-content\/uploads\/2025\/10\/all-to-know-about-nis2-directive-new.png","type":"image\/png"}],"author":"\u0141ukasz Dydek, Technical Content Writer","twitter_card":"summary_large_image","twitter_creator":"@xoperobackup","twitter_site":"@xoperobackup","twitter_misc":{"Napisane przez":"\u0141ukasz Dydek, 
Technical Content Writer","Szacowany czas czytania":"11 minut"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xopero.com\/blog\/en\/nis2-directive\/#article","isPartOf":{"@id":"https:\/\/xopero.com\/blog\/en\/nis2-directive\/"},"author":{"name":"\u0141ukasz Dydek, Technical Content Writer","@id":"https:\/\/xopero.com\/blog\/#\/schema\/person\/608de6d75eb1ac2a48799895263fc00d"},"headline":"NIS2 in Practice: All You Need to Know","datePublished":"2025-09-24T13:05:40+00:00","dateModified":"2025-12-05T14:29:33+00:00","mainEntityOfPage":{"@id":"https:\/\/xopero.com\/blog\/en\/nis2-directive\/"},"wordCount":2496,"publisher":{"@id":"https:\/\/xopero.com\/blog\/#organization"},"image":{"@id":"https:\/\/xopero.com\/blog\/en\/nis2-directive\/#primaryimage"},"thumbnailUrl":"https:\/\/xopero.com\/blog\/wp-content\/uploads\/2025\/10\/all-to-know-about-nis2-directive-new.png","articleSection":["Cyberlaw"],"inLanguage":"pl-PL"},{"@type":"WebPage","@id":"https:\/\/xopero.com\/blog\/en\/nis2-directive\/","url":"https:\/\/xopero.com\/blog\/en\/nis2-directive\/","name":"Your complete guide to the NIS2 directive","isPartOf":{"@id":"https:\/\/xopero.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/xopero.com\/blog\/en\/nis2-directive\/#primaryimage"},"image":{"@id":"https:\/\/xopero.com\/blog\/en\/nis2-directive\/#primaryimage"},"thumbnailUrl":"https:\/\/xopero.com\/blog\/wp-content\/uploads\/2025\/10\/all-to-know-about-nis2-directive-new.png","datePublished":"2025-09-24T13:05:40+00:00","dateModified":"2025-12-05T14:29:33+00:00","description":"Learn what NIS2 directive is, whether it is in force, who it applies to, what the applicable penalties and the requirements for 
it.","breadcrumb":{"@id":"https:\/\/xopero.com\/blog\/en\/nis2-directive\/#breadcrumb"},"inLanguage":"pl-PL","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xopero.com\/blog\/en\/nis2-directive\/"]}]},{"@type":"ImageObject","inLanguage":"pl-PL","@id":"https:\/\/xopero.com\/blog\/en\/nis2-directive\/#primaryimage","url":"https:\/\/xopero.com\/blog\/wp-content\/uploads\/2025\/10\/all-to-know-about-nis2-directive-new.png","contentUrl":"https:\/\/xopero.com\/blog\/wp-content\/uploads\/2025\/10\/all-to-know-about-nis2-directive-new.png","width":1200,"height":600,"caption":"Your complete guide to the NIS2 directive"},{"@type":"BreadcrumbList","@id":"https:\/\/xopero.com\/blog\/en\/nis2-directive\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Strona g\u0142\u00f3wna","item":"https:\/\/xopero.com\/blog\/pl\/"},{"@type":"ListItem","position":2,"name":"NIS2 in Practice: All You Need to Know"}]},{"@type":"WebSite","@id":"https:\/\/xopero.com\/blog\/#website","url":"https:\/\/xopero.com\/blog\/","name":"Xopero Blog","description":"Backup &amp; Recovery","publisher":{"@id":"https:\/\/xopero.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xopero.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"pl-PL"},{"@type":"Organization","@id":"https:\/\/xopero.com\/blog\/#organization","name":"Xopero Software","url":"https:\/\/xopero.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"pl-PL","@id":"https:\/\/xopero.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xopero.com\/blog\/wp-content\/uploads\/2019\/03\/xopero-niebieskie.png","contentUrl":"https:\/\/xopero.com\/blog\/wp-content\/uploads\/2019\/03\/xopero-niebieskie.png","width":500,"height":132,"caption":"Xopero 
Software"},"image":{"@id":"https:\/\/xopero.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/XoperoSoftware\/","https:\/\/x.com\/xoperobackup","https:\/\/www.linkedin.com\/company\/opero-sp-z-o-o-\/?viewAsMember=true","https:\/\/www.youtube.com\/channel\/UCRPWyeo1apjSgkDW3hZpB9g?reload=9"]},{"@type":"Person","@id":"https:\/\/xopero.com\/blog\/#\/schema\/person\/608de6d75eb1ac2a48799895263fc00d","name":"\u0141ukasz Dydek, Technical Content Writer","image":{"@type":"ImageObject","inLanguage":"pl-PL","@id":"https:\/\/xopero.com\/blog\/wp-content\/uploads\/2025\/09\/Lukasz-dydek-technical-content-writer_avatar.jpg","url":"https:\/\/xopero.com\/blog\/wp-content\/uploads\/2025\/09\/Lukasz-dydek-technical-content-writer_avatar.jpg","contentUrl":"https:\/\/xopero.com\/blog\/wp-content\/uploads\/2025\/09\/Lukasz-dydek-technical-content-writer_avatar.jpg","caption":"\u0141ukasz Dydek, Technical Content Writer"},"url":"https:\/\/xopero.com\/blog\/author\/lukasz-dydek\/"}]}},"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/xopero.com\/blog\/wp-json\/wp\/v2\/posts\/7115","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/xopero.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xopero.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xopero.com\/blog\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/xopero.com\/blog\/wp-json\/wp\/v2\/comments?post=7115"}],"version-history":[{"count":31,"href":"https:\/\/xopero.com\/blog\/wp-json\/wp\/v2\/posts\/7115\/revisions"}],"predecessor-version":[{"id":8039,"href":"https:\/\/xopero.com\/blog\/wp-json\/wp\/v2\/posts\/7115\/revisions\/8039"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xopero.com\/blog\/wp-json\/wp\/v2\/media\/7352"}],"wp:attachment":[{"href":"https:\/\/xopero.com\/blog\/wp-json\/wp\/v2\/media?parent=7115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http
s:\/\/xopero.com\/blog\/wp-json\/wp\/v2\/categories?post=7115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xopero.com\/blog\/wp-json\/wp\/v2\/tags?post=7115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}